Pihole Hairpin NAT

I have successfully setup Pihole on an Ubuntu server and am forcing DNS lookups to that server by following these instructions:

Redirect DNS traffic that is neither to nor from the PiHole, to the PiHole
1 ;;; redirect DNS to PiHole
chain=dstnat action=dst-nat to-addresses=192.168.1.2 protocol=udp src-address=!192.168.1.2 dst-address=!192.168.1.2 dst-port=53
2 chain=dstnat action=dst-nat to-addresses=192.168.1.2 protocol=tcp src-address=!192.168.1.2 dst-address=!192.168.1.2 dst-port=53

All DNS queries to PiHole shall appear to come from the router
3 ;;; hairpin NAT for PiHole
chain=srcnat action=masquerade protocol=udp src-address=192.168.1.0/24 dst-address=192.168.1.2 dst-port=53
4 chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.0/24 dst-address=192.168.1.2 dst-port=53

However, the hairpin NAT rules don’t seem to be doing anything. The counters in Winbox show 0 for both. Any ideas?

This is a catcher for traffic that wants to pass by the normal path. Those are lines one and two.

First you are going to tell the clients in DHCP that they are going to use the pi-hole as DNS. If that works then you are pointing the DNS of the router itself to pi-hole.

If that works then you are doing something like this to catch something like nslookup pi-hole.net 8.8.8.8 so that it ends up not with Google but with your pi-hole.

Lines three and four can be omitted.

Thanks for the quick response. Lines 1 and 2 are understandable but 3 and 4 made no sense to me and didn’t appear to be doing anything. I will just delete them.

OK, I originally said the last two lines didn’t seem to be doing anything because the counters in Winbox weren’t incrementing. I realized I screwed up my CIDR address range. The counters are now incrementing, and redirecting to the PiHole works whether those 2 lines are enabled or disabled.

This got me thinking. I have the DNS under IP->DHCP Server->Networks set to my PiHole which is at 192.168.5.50. With those two lines in place, which in my case is:
/ip firewall nat add chain=srcnat action=masquerade protocol=udp src-address=192.168.0.0/16 dst-address=192.168.5.50 dst-port=53
/ip firewall nat add chain=srcnat action=masquerade protocol=tcp src-address=192.168.0.0/16 dst-address=192.168.5.50 dst-port=53

does that make it so I could set the DNS server for my DHCP clients to the Mikrotik (192.168.5.1) and it transparently directs it to the PiHole since the router's DNS server is set to the PiHole also? Sorry if this question is not clear.
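As an added illustration (not code from this thread or from MikroTik), here is a small Python model of how the router walks the dstnat chain and then the srcnat chain for the four rules quoted at the top, including why a hairpin rule with the wrong src-address subnet sits at 0 hits. The Pi-hole address comes from the rules; the router address 192.168.1.1 and the client addresses are assumed.

```python
# Added example (not from the thread): a toy model of how RouterOS walks the
# dstnat chain and then the srcnat chain for the four rules quoted above.
# PIHOLE comes from the rules; ROUTER and the packet addresses are assumed.
from ipaddress import ip_address, ip_network

PIHOLE = "192.168.1.2"
ROUTER = "192.168.1.1"  # assumed LAN address of the MikroTik

def match(addr, spec):
    """RouterOS-style address match: host or CIDR, leading '!' negates."""
    negate = spec.startswith("!")
    return (ip_address(addr) in ip_network(spec.lstrip("!"), strict=False)) != negate

def rules(lan="192.168.1.0/24"):
    """Rules 1-4 from the post; lan is the src-address of the hairpin rules."""
    redirect = lambda proto: dict(chain="dstnat", action="dst-nat", proto=proto,
                                  src="!" + PIHOLE, dst="!" + PIHOLE)
    hairpin = lambda proto: dict(chain="srcnat", action="masquerade", proto=proto,
                                 src=lan, dst=PIHOLE)
    return [redirect("udp"), redirect("tcp"), hairpin("udp"), hairpin("tcp")]

def apply_rules(ruleset, pkt):
    """Return the translated packet plus per-rule hit counters (as Winbox shows).
    srcnat sees the destination after dst-nat rewrote it, which is why rule 3
    can match dst-address=192.168.1.2 for a query the client sent to 8.8.8.8."""
    hits = [0] * len(ruleset)
    for chain in ("dstnat", "srcnat"):
        for i, r in enumerate(ruleset):
            if r["chain"] != chain or r["proto"] != pkt["proto"] or pkt["dport"] != 53:
                continue
            if not (match(pkt["src"], r["src"]) and match(pkt["dst"], r["dst"])):
                continue
            hits[i] += 1
            if r["action"] == "dst-nat":
                pkt = {**pkt, "dst": PIHOLE}
            else:  # masquerade: the query now appears to come from the router
                pkt = {**pkt, "src": ROUTER}
            break  # dst-nat and masquerade are terminating actions in their chain
    return pkt, hits

def dns_query(src, dst, proto="udp", lan="192.168.1.0/24"):
    """Simulate one constructed DNS query through the rule set."""
    return apply_rules(rules(lan), {"src": src, "dst": dst, "proto": proto, "dport": 53})

# Client bypassing the Pi-hole towards 8.8.8.8: rules 1 and 3 fire, hits [1, 0, 1, 0].
# With the hairpin src-address on the wrong subnet (the CIDR slip in the thread),
# rule 3 stays at 0: dns_query("192.168.1.50", "8.8.8.8", lan="192.168.5.0/24").
```

A query the Pi-hole itself sends upstream matches none of the four rules, because rule 1 and 2 exclude src-address=192.168.1.2 and rules 3 and 4 only match traffic destined for it.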

My answer did mention two places (DNS and DHCP) to change the setting towards Pi-hole. If you have done that, and it seems you did, because it worked either with or without those two lines.

Those two lines can still be omitted.